{This entry was written over the course of several weeks}
I attend a group called the “Gaggle”, see http://www.goslingcommunity.org/ where I often argue, sometimes loudly (it’s a sports bar, so everything is loud) with Russell McOrmond (http://www.flora.ca/russell/ ). Russell is my best friend, business partner and we were each other’s best men.
So, it’s often surprising how violently we can disagree. It’s even more surprising when we are often violently agreeing. One problem that both Russell and I have, is that often we argue with each other, often thinking that we are in fact arguing with the “enemy”. It’s kind of like honing one’s skills, but often it gets in the way to actually communicating new ideas to each other.
Sort of like when the angry feminist goes into some store and asks to buy some bullets, and the clerk says, “I can’t sell you those bullets,” and the woman gets mad, assuming that the clerk is some kind of misogynist. The clerk finally explains, “No, it’s not because you are a woman, it’s because I don’t have any in stock.”
An on-going argument is about the end-to-end issues on the Internet, and what constitutes “upload” vs “downloading”.
In general, I hate the terms. People who use the terms uploading and downloading are from the Bulletin Board Systems days, and from that kind of thinking. Unfortunately 99% of the users of the Internet came to it sufficiently late, and via dialup and “residential high speed”, that they have never really experienced the Internet of the 1980s and the early 1990s.
Russell is also concerned about end-to-end issues.
(Please correct me if I am using any loaded terminology)
Russell explains that in Canada, “downloading” copyrighted works (such as an MP3) is not illegal, particularly if it gets put onto levied media such as a CD-ROM.
What is illegal is “uploading”. So, the theory goes, I am permitted to receive materials, but I am not permitted to send them. I can make a private copy – so I can borrow your CD, and I can copy it. That’s permitted. You can’t take your CD, make a copy and give it to me. That’s not permitted.
There is a lot of question of intent.
My major concern is that of enforcement.
At present a large number of “residential” ISPs (Rogers, Bell Sympatico) have a policy of “no servers”, and they regularly block various ports, sometimes blocking all incoming packets with the “SYN” bit set. A TCP SYN packet is what is used to start communication with a “server”. Any ISP that puts their customers behind a NAT, or encourages their customers to install NATs by not providing them with enough IP addresses is effectively blocking TCP SYN packets. Bell Sympatico GIVES people the NATs. (Who owns and controls them? That’s the topic of another article)
It’s not limited to residential services. A huge number of business people think that NATs have some kind of useful security function. The reality is that they simply cut off 50% of the functions of the Internet, which sometimes means that they cut out 50% of the security holes present in some desktop operating systems. Of course, you can cut out 100% of the holes by powering the desktop down as well. Since the NAT improves security by preventing legitimate uses, any measure that improves security, even if it prevents legitimate uses, would by the arguments above be legitimate. So, I would conclude that the power switch is much more secure than the NAT.
However, I do not believe that we need to prevent legitimate uses to improve security. Often we can improve one module’s security profile, by moving appropriate functionality to another: for instance, exchanging files by FTP or SFTP is much smarter and more secure than doing it by email, but we don’t do that because residential desktops do not have permanent identities on the network, and oh. yeah… that NAT. And people who exchange files are, by definition, evil.
As I explained that Friday (2005-05-27), I can’t tell, as a network operator, looking at the layer-3 part of the packet (the IP header) if the traffic is an “upload” or a “download”, or if it is a TCP SYN packet or not. (The two are not equivalent. I can certainly identify the TCP SYN packet, but the upload/download involves knowing intent, which requires much deeper packet inspection.)
The layer-3 information is the only information that a network element needs to look at. I claim that this is the only part of the packet that a network element is permitted to look at.
To understand my claim you need to have some history about phone tapping. Since 1984 in the US the pen register has been formally defined. See http://en.wikipedia.org/wiki/Pen_register for a good history.
This is important — access to the Pen Register is not considered a search, but at the same time, it isn’t public knowledge. From the above page:
That’s why the law in 1984 was necessary.
The question is then: what parts of the TCP/IP stack are covered by Pen registry legislation, and what parts are not? The US Congress even talked about this a bit:
Border Issues Ashcroft: http://canada.usembassy.gov/content/textonly.asp?section=can_usa&subsection1=borderissues&document=borderissues_ashcroft_092501
(Search for “Pen Register”. This is from September 25, 2001, about the Patriot Act. I don’t know why it shows up under canada.usembassy.gov…)
Another interesting link: http://www.interesting-people.org/archives/interesting-people/200204/msg00112.html
And another: http://www.volokh.com/2003_05_04_volokh_archive.html#200272201
So, back to end-to-end.
If it is the case that only numbers disclosed to the ISP for routing are part of the Pen Registry, then I read this very clearly: the IPv4 header contains that information.
The TCP header (in which the SYN flag and the port numbers are) does not.
*Anyone filtering on TCP headers without the permission of both parties is performing an illegal search.*
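To make the layer-3 versus layer-4 distinction concrete, here is an added example (my own, not code from the original entry) that builds a few constructed IPv4/TCP packets and parses them twice: once seeing only the IPv4 header, the way a forwarding element does, and once reading into the TCP header. The addresses are from the RFC 5737 documentation ranges, the packets are constructed rather than captured, and the “no servers” filter is a hypothetical model of the policy described above, included only to show which header such a filter has to read.

```python
"""Which packet fields are visible to a layer-3-only observer (added example).

Constructed packets, not captured traffic; addresses are from RFC 5737
documentation ranges. Assumes IPv4 with an options-free TCP header.
"""
import socket
import struct

TCP_PROTO = 6
FLAG_SYN = 0x02
FLAG_ACK = 0x10


def build_packet(src_ip, dst_ip, sport, dport, flags):
    """Build an IPv4 packet carrying a payload-less TCP segment (constructed sample)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, TCP_PROTO, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return ip + tcp


def layer3_view(packet):
    """The IPv4 header: the routing information an ISP needs in order to forward."""
    fields = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = fields
    return {
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "protocol": proto,
        "ttl": ttl,
        "ihl": (version_ihl & 0x0F) * 4,
        "total_length": total_len,
    }


def layer4_view(packet):
    """Ports and flags live in the TCP header, past the IP header."""
    l3 = layer3_view(packet)
    if l3["protocol"] != TCP_PROTO:
        return None
    off = l3["ihl"]
    sport, dport, _seq, _ack, _doff, flags = struct.unpack("!HHIIBB", packet[off:off + 14])
    return {"sport": sport, "dport": dport,
            "syn": bool(flags & FLAG_SYN), "ack": bool(flags & FLAG_ACK)}


def direction_at_layer3(packet, customer_ip):
    """All a layer-3 observer can say: which way this one packet is travelling."""
    l3 = layer3_view(packet)
    if l3["src"] == customer_ip:
        return "from_customer"
    if l3["dst"] == customer_ip:
        return "to_customer"
    return "transit"


def is_connection_attempt_to(packet, customer_ip):
    """Hypothetical 'no servers' filter: an inbound SYN without ACK.

    It cannot be written from layer3_view() alone; it needs the TCP flags."""
    l4 = layer4_view(packet)
    return (l4 is not None and l4["syn"] and not l4["ack"]
            and direction_at_layer3(packet, customer_ip) == "to_customer")


CUSTOMER = "192.0.2.10"
REMOTE = "198.51.100.20"

# Customer opens a connection to a remote web server (the customer is downloading).
OUTBOUND_SYN = build_packet(CUSTOMER, REMOTE, 40000, 80, FLAG_SYN)
# The customer's ACK during that same download: it leaves the customer, yet is not an upload.
OUTBOUND_ACK = build_packet(CUSTOMER, REMOTE, 40000, 80, FLAG_ACK)
# A remote host opens a connection to the customer (what a 'no servers' policy targets).
INBOUND_SYN = build_packet(REMOTE, CUSTOMER, 51000, 22, FLAG_SYN)

if __name__ == "__main__":
    samples = [("outbound SYN", OUTBOUND_SYN), ("outbound ACK", OUTBOUND_ACK),
               ("inbound SYN", INBOUND_SYN)]
    for name, pkt in samples:
        print(name, direction_at_layer3(pkt, CUSTOMER), layer4_view(pkt),
              "blocked" if is_connection_attempt_to(pkt, CUSTOMER) else "passes")
```

Two things fall out of running it. The outbound SYN and the outbound ACK are indistinguishable at layer 3 (both are simply “from the customer”), even though one belongs to a download the customer initiated, so packet direction in the IP header says nothing about upload versus download. And the inbound-SYN filter only works once the code reaches past the IP header into the TCP flags, which is exactly the part of the packet the entry argues a carrier has no business reading.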
Subsequent to when I started writing this entry, Sympatico announced they were amending their user agreement to get this kind of permission. That might be okay. We’d need to ask some critical questions before allowing citizens to give up their rights: did they have a choice? If all ISPs force citizens to do this, then perhaps there is a cartel? Some kind of collusion?
But, I have a simpler solution: any ISP that wants to do this is no longer a common carrier. They are now responsible for ALL content. Including the child porn found on a web server in Zealand that crosses their network.
But, back to “uploading” and “downloading”.
In Spain recently, it was reported in IRC (I do not have a good official reference, but would welcome one):
In Canada, we already have the tax on blank media, and generally this has permitted “downloading” to be legal, while “uploading” is not legal.
Let’s say that Canada passes a law making it a “civil offense to upload”.
And let’s say someone wants to enforce this law. How can they (technically) do it? Simple: do not let TCP SYN packets through to end users. Oh, wait. That requires a search warrant.
So the law enforcement agency has to have probable cause, and has to present a search warrant. That’s okay, since they had to have probable cause for a specific end-user, they can’t just let out a dragnet.
This is why I claim that nobody can tell (without a search warrant) if I am uploading or downloading, and thus, effectively, there can be no technical difference between the two operations.
Being able to enforce a law is one of the critical questions that lawmakers are supposed to ask. I conclude: you cannot enforce such a law without violating everyone’s privacy rights.